BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM
BUREAU OF CONSUMER FINANCIAL PROTECTION

November 15, 2011

Mr. Chris Willey
Chief Information Officer
Bureau of Consumer Financial Protection
Washington, D.C. 20220

The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies, including the Bureau of Consumer Financial Protection (CFPB), to develop, document, and implement an agency-wide information security program. FISMA also requires each Inspector General (IG) to conduct an annual independent evaluation of its agency's information security program and practices, to include testing controls for a subset of systems. The CFPB is relying on the information security program and computer systems of the Department of the Treasury (Treasury). As part of its 2011 FISMA audit, the Treasury Office of Inspector General (OIG) evaluated the effectiveness of Treasury's information security programs, including controls for 15 systems across Treasury bureaus. One of the systems included in the Treasury OIG's FISMA review was a general support system that the CFPB is relying on for network infrastructure and connectivity to support a number of applications. To meet our annual FISMA reporting responsibilities for the CFPB and avoid duplication of effort, we relied on the FISMA work performed by the Treasury OIG. Appendix 1 summarizes the results of the Treasury OIG's FISMA review, as it pertains to Treasury's information security program and the general support system on which the CFPB is relying.

The Treasury OIG contracted with KPMG LLC, an independent certified public accounting firm, to perform its 2011 FISMA audit. Overall, KPMG concluded that Treasury's information security program and practices for its non-Internal Revenue Service (IRS) bureaus' unclassified systems were generally consistent with the requirements of FISMA. KPMG noted, however, that "Treasury's information security program was not fully effective," as evidenced by control weaknesses identified for various Treasury systems.[1] Treasury can improve the effectiveness of its information security program and controls for the general support system that CFPB relies on by strengthening risk management, configuration management, and contingency planning controls.

As part of an agency's annual FISMA reporting, the Department of Homeland Security (DHS) requests that both the Chief Information Officer (CIO) and IG perform an analysis of certain agency information security program components.[2] For IGs, these components include risk management, continuous monitoring, security configuration management, security training, contractor oversight, contingency planning, incident response and reporting, and security capital planning. Our responses to DHS's questions in these areas will be transmitted under separate cover and will reflect KPMG's findings for Treasury's information security program and the general support system CFPB relies on. CFPB officials informed us that, in consultation with DHS, CFPB, as a recently established federal agency, will start reporting on these components during the second quarter of fiscal year 2012.

[1] KPMG LLC's Fiscal Year 2011 FISMA Performance Audit of The Department of the Treasury (November 2011).
[2] DHS Federal Information Security Memorandum 11-02, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (August 24, 2011).

We provided a draft of this report to the CFPB CIO, and his response is included as appendix 2. In his response, the CIO stated that the CFPB continues to leverage certain services provided by Treasury as an interim means to maintain operational efficiencies. The CIO also noted that a key component of CFPB technology independence is a robust and comprehensive cybersecurity program. The CFPB's cybersecurity program is aligned to the risk management framework developed by the National Institute of Standards and Technology (NIST). As a newly established agency, the CFPB is working steadily to develop and mature its internal functions and processes to include the many facets of technology management.

This report will be added to our publicly available web site and will be summarized in our next semiannual report to Congress. We appreciate the cooperation we received from the CFPB and Treasury during our review. We will continue to monitor and report on the CFPB's efforts in establishing an information security program as part of our responsibilities under FISMA. Please contact me at 202-973-5003 if you would like to discuss this report or any related issues.

Sincerely,

Andrew Patchan Jr.
Associate Inspector General for Audits and Attestations

cc: Catherine West, Chief Operating Officer, CFPB
    Zachary Brown, Acting Chief Information Security Officer, CFPB
    Marla A. Freedman, Assistant Inspector General for Audit, OIG, Treasury

APPENDIXES

APPENDIX 1

This appendix summarizes the results of the Treasury OIG's FISMA review, as it pertains to Treasury's information security program and the general support system on which the CFPB relies.

BACKGROUND

FISMA provides a framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets.[3] FISMA requires federal agencies, including the CFPB, to develop, document, and implement an agency-wide information security program. This program is to provide security for the information and information systems of the agency, including those provided by another agency, contractor, or other source. FISMA further requires each agency IG to perform an annual independent evaluation of its agency's information security program and practices, to include testing controls for a subset of systems.

The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) established the CFPB as an independent and autonomous entity within the Federal Reserve System.[4] Under Dodd-Frank, the CFPB is charged with ensuring that markets for consumer financial products and services are fair, transparent, and competitive. Dodd-Frank assigned the responsibility for performing certain CFPB functions to the Secretary of the Treasury until a Director for the CFPB is in place.[5] In addition, Dodd-Frank established our office as the IG for the CFPB.

The CFPB relies on and is leveraging Treasury's Departmental Offices' (DO's) information security program, policies, procedures, and systems until it matures as an organization and can perform these functions on its own. DO, while not an operating bureau of Treasury,[6] consists of offices that are primarily responsible for the formulation of policy and Treasury-wide management issues, including the provision of information technology and administrative support to Treasury bureaus. With respect to FISMA, Treasury has established overall department-wide information security policies, and each Treasury bureau and DO operates and maintains its own information security program. The CFPB entered into an agreement with DO for the provision of administrative services, including facilities, computer systems, and information security.

The Treasury OIG, as part of its responsibilities under FISMA, performs an annual independent evaluation of Treasury's information security program and controls for select systems. The Treasury OIG contracted with KPMG LLP, an independent certified public accounting firm, to perform its 2011 FISMA evaluation. To perform this evaluation, KPMG evaluated the policies and procedures established for Treasury's information security program and those established for Treasury's operating bureaus and DO. KPMG also tested controls for select systems across Treasury's bureaus and DO, including a DO general support system that the CFPB relies on to support a number of applications. This general support system provides the CFPB with the network infrastructure, including routers, firewalls, and other security devices, needed to access the Internet and connect with various Treasury systems. This system also supports the desktop and laptop computers that CFPB employees utilize.

[3] Title III, Pub. L. No. 107-347 (December 17, 2002).
[4] Title X, Pub. L. No. 111-203 (July 21, 2010).
[5] As of the date of this report, a Director for the CFPB has not been confirmed by the Senate.
[6] Treasury consists of the following 12 operating bureaus: Alcohol and Tobacco Tax and Trade; Engraving and Printing; Public Debt; Community Development Financial Institution Fund; Financial Crimes Enforcement Network; Financial Management Service; Inspector General; Treasury Inspector General for Tax Administration; Internal Revenue Service; Office of the Comptroller of the Currency (OCC); Office of Thrift Supervision (OTS); and U.S. Mint. As a result of Dodd-Frank, the functions of OTS were transferred to the Board of Governors of the Federal Reserve System, the OCC, and the Federal Deposit Insurance Corporation effective July 21, 2011.

OBJECTIVES, SCOPE, AND METHODOLOGY

KPMG reported that its objectives for its 2011 FISMA audit of Treasury were to determine the effectiveness of Treasury's information security programs and practices for the period July 1, 2010, to June 30, 2011, for Treasury's unclassified systems. This included a determination as to whether non-IRS Treasury bureaus had implemented (1) an information security program, consisting of policies, procedures, and security controls consistent with the FISMA legislation; and (2) the security controls catalog contained in NIST Special Publication (SP) 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations. To meet our FISMA reporting responsibilities for the CFPB and to avoid duplication of effort, we relied on the work performed by KPMG as part of its 2011 FISMA audit of Treasury. Specifically, we relied on the work performed by KPMG with respect to its evaluation of DO's information security program and controls for a DO general support system that the CFPB utilizes.

KPMG reported that it conducted its FISMA audit of Treasury's information security program in accordance with generally accepted government auditing standards (GAGAS). Those standards require KPMG to plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for the findings and conclusions based on the audit objective. To meet GAGAS requirements for relying on the work of others, we performed appropriate procedures, including

• Obtaining evidence on the qualifications and independence of KPMG staff performing the FISMA audit of Treasury;
• Reviewing Treasury OIG's FISMA audit plan, KPMG's audit report, and KPMG's workpaper documentation;
• Meeting with Treasury OIG officials to gain an understanding of how they perform their FISMA oversight of Treasury's information security program, including reviewing the work performed by KPMG; and
• Discussing KPMG's audit approach and results with KPMG staff.

Our audit scope was focused on summarizing the work KPMG performed with respect to its review of DO's information security program and controls for the DO general support system that CFPB utilizes. We also utilized KPMG's results for their review of DO's information security program and controls for the DO system to respond to specific questions that DHS has requested IGs to address in their 2011 FISMA reporting. We will provide our analysis of DHS's specific questions under separate cover. Our scope did not include an evaluation of all the work KPMG performed as part of its overall FISMA audit of Treasury's information security program. We also did not analyze information technology that CFPB is developing beyond what is provided by Treasury and reviewed by KPMG in 2011.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

Overall, KPMG concluded that Treasury's information security program and practices for its non-IRS bureaus' unclassified systems were generally consistent with the requirements of FISMA. KPMG also concluded that DO had established and implemented an information security program, common security policies, and procedures based on NIST and Treasury guidelines. KPMG noted, however, that Treasury's, including DO's, information security programs "were not fully effective," as evidenced by control weaknesses identified for various Treasury systems. With regard to the DO general support system that CFPB relies on, KPMG reported the following two findings and associated recommendations, in support of its conclusion that Treasury's, including DO's, information security program was not fully effective.

• The system security plan did not include all required security controls as specified in NIST SP 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations, dated August 2009. To address this finding, KPMG recommended that DO management instruct the vendor operating the general support system to update the system security plan to include NIST SP 800-53, Rev. 3 security controls and associated control enhancements.

• High-risk vulnerabilities identified in a vulnerability scan report for the DO general support system were not remediated within 30 days, as required. To address this finding, KPMG recommended that DO management direct personnel charged with remediating vulnerabilities to track open, unresolved vulnerabilities in system plans of action and milestones when the anticipated remediation will exceed 30 days.

KPMG also identified two additional control deficiencies for the DO general support system on which CFPB relies. KPMG did not classify these as findings, since DO management had already identified these weaknesses and had identified corrective actions to address them. These control deficiencies were (1) the Federal Desktop Core Configuration standard was not implemented for desktop computers and a waiver was not obtained to implement a different standard; and (2) a backup process for configuration files residing in firewalls, intrusion prevention systems, routers, and switches had not been established.

APPENDIX 2

Chief Information Officer's Comments